

The Windows Hello for Business PIN isn't a symmetric key, whereas a password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement "PIN is stronger than Password" isn't directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combinations of PINs). Some organizations may worry about shoulder surfing.
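The contrast above can be made concrete with a small model. The code below is an added illustration, not Microsoft's code and not how Windows Hello for Business or a real TPM is implemented: the `PasswordServer`, `ToyTPM` and `KeyServer` classes, the lockout threshold of five failures, the SHA-256 comparison of the PIN and the tiny constructed RSA key (p=61, q=53) are all assumptions made for the example. It shows the two properties the text describes: the password server must hold a representation of the shared secret, while the key server holds only a public key and never sees the PIN; and the TPM model stops answering after repeated wrong PINs, mimicking anti-hammering.

```python
"""Toy model of password (symmetric secret) versus PIN-unlocked TPM key.
Added illustration only; the RSA key is tiny and constructed, NOT secure."""
import hashlib
import hmac
import os


# --- Password model: the server keeps a representation of the secret -------
class PasswordServer:
    """Stores a salted PBKDF2 digest of each user's password."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        # The secret itself has to be presented to the server to be checked.
        salt, digest = self._store[user]
        return hmac.compare_digest(digest, self._derive(password, salt))

    def holds_secret_material(self, user):
        # Whatever is stored here is enough to test candidate passwords if it
        # leaks; that is the exposure that comes with a symmetric secret.
        return user in self._store


# --- PIN model: entropy unlocks a private key that never leaves the TPM ----
class TpmLockedOut(Exception):
    pass


class ToyTPM:
    """Holds a private key and releases signatures only after the right PIN.
    Real TPMs keep an authorization value and enforce dictionary-attack
    lockout; this toy mimics that with a failure counter (assumption)."""

    MAX_FAILURES = 5                      # constructed lockout threshold
    _N, _E, _D = 3233, 17, 2753           # constructed RSA key: p=61, q=53

    def __init__(self, pin):
        self._pin_check = hashlib.sha256(pin.encode()).digest()
        self._failures = 0

    def public_key(self):
        return (self._N, self._E)

    def sign(self, pin, challenge):
        if self._failures >= self.MAX_FAILURES:
            raise TpmLockedOut("anti-hammering lockout engaged")
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(self._pin_check, offered):
            self._failures += 1
            return None
        self._failures = 0
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % self._N
        return pow(h, self._D, self._N)


class KeyServer:
    """Stores only public keys; a PIN is never sent to or stored here."""

    def __init__(self):
        self._pub = {}

    def enroll(self, user, public_key):
        self._pub[user] = public_key

    def challenge(self):
        return os.urandom(16)

    def verify(self, user, challenge, signature):
        if signature is None:
            return False
        n, e = self._pub[user]
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
        return pow(signature, e, n) == h


def lockout_after(tpm, wrong_pin, challenge):
    """Count how many wrong PINs the toy TPM accepts before locking out."""
    tries = 0
    while True:
        try:
            tpm.sign(wrong_pin, challenge)
        except TpmLockedOut:
            return tries
        tries += 1


if __name__ == "__main__":
    pw = PasswordServer()
    pw.enroll("alice", "hunter2")
    print("password login:", pw.login("alice", "hunter2"))

    tpm = ToyTPM("1234")
    ks = KeyServer()
    ks.enroll("alice", tpm.public_key())          # public key only
    c = ks.challenge()
    print("PIN-unlocked signature verifies:", ks.verify("alice", c, tpm.sign("1234", c)))
    print("wrong PINs before lockout:", lockout_after(tpm, "0000", c))
```

Note the two enrollment paths: `PasswordServer.enroll` stores material derived from the password itself, while `KeyServer.enroll` receives only the public half of a key the TPM generated, which is why the key server has nothing to replay and nothing to test PIN guesses against.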
